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(57) Abstract: Method and system for securing a data system (1) that is connected to other systems by communication means (5) 
and exchanges data with these other systems via said communication means. The most recently exchanged data is continuously 
buffered in buffer devices (2, 3). The normal operation of the data system is monitored by a monitoring device (6) that in the event 
of an abnormality in the operation of the data system activates an output device (7) in order to read out the buffered data from the 
buffer devices and to make these data available for analysis. 
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Method and system for securing a data system 

BACKGROUND OF THE INVENTION 
• The invention relates to a method for securing a data system that is 
5 connected by communication means to other systems and exchanges data 

with those other systems via said communication means. The invention 
also relates to a security system for monitoring a data system that 
exchanges data with other systems via communication means. 
Present-day (Internet) security tools can only identify known 

10 attacks against a data system. Unknown attacks are not identified 

and can disrupt services. So-called network sniffers can log all the 
traffic on a network. As the bandwidths in the networks increase, 
however, sniffers deliver an enormous quantity of information, which 
makes it impossible to examine all the sniffed traffic on arrival. 

15 "Intrusion Detection Systems" are tools which, on top of a sniffer, 

attempt in real time to correlate network streams in the search for 
attacks. Drawbacks: the increased speeds and bandwidths on networks 
make the deployment of these tools more and more difficult. At 
gigabit network speeds, there are no systems still able to 

20 abcomplish this task. 

SUMMARY OF THE INVENTION 

The present invention is based on the understanding that only at the 
moment that a data system malfunctions, for example as a result of a 

25 "data attack", is it important for the last communication with the 

server to be preserved (comparable to the "black box" in aircraft) . 
This recorded communication can then be used to analyse and 
ascertain the cause of the malfunctioning and to identify a possible 
new attack and to secure the data system against it . 

30 The method according to the invention is characterised in that 

(only) the most recently exchanged data are continuously buffered, 
the normal operation of the data system is monitored, and (only) in 
the event of an abnormality in the operation of the data system the 
buffered data are made available for analysis. A "moving window" is, 

35 as it were, placed over the exchanged (incoming and/or outgoing) 

data stream, the contents of which are not normally processed 
(analysed) . Only after an abnormality has been detected in the 
operation of the data system being secured are the contents of the 
moving window preserved so they can be analysed. The invention 

40 therefore solves the problem of the large quantity of information 

and limited analysis time by not performing analysis continuously, 
but only when necessary. 
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EMBODIMENTS 

The method according to the invention is illustrated with the aid of 
figure 1. Figure 1 shows a data system 1, provided with an input 
5 buffer device 2 and an output buffer device 3, by means of which the 

data system 1 connects to the node 4 of a network 5 to which other 
(data) systems can be connected, with which the data system 1 
exchanges data. The data system is secured by buffering the most 
recently exchanged data in the buffer devices 2 and 3. The normal 
10 operation of the data system 1 is monitored in a monitoring device 

6. The monitoring device 6 controls an output device 7 such that 
only in the event of an abnormality in the operation of the data 
system will the most recent data, buffered in the buffer devices 2 
and 3, be called up by the output device 7. The output device 7 may 
15 comprise a screen on which, after a fault has occurred in the data 

system, the data called up from the buffers 2 and 3 can be examined. 
The output device 7 can also comprise a printer. A "moving window" 
is, as it were, placed over the exchanged (incoming and/or outgoing) 
data stream, the contents of which are not normally processed 
20 (analysed) . Only after an abnormality has been detected in the 

operation of the data system being secured are the contents of the 
moving window (in the buffer devices 2 and 3 respectively) preserved 
so they can be analysed. The data exchanged in the last moments 
before the occurrence of the fault can be analysed visually by 
25 qualified personnel. Alternatively, an analysis system 8 can be 

used, possibly in addition to the aforementioned method. 
It should be noted that securing the data system 1 can also be 
achieved remotely, for example via the network 5, as shown in figure 
2. In figured the required connections between the devices 1, 2 and 
30 3 on the one hand and the devices 6 and 7 on the other are 

accomplished via the network node 4 and a network node 9. These 
connections are, of course, depending on the network, preferably 
accomplished by virtual channels. The devices 6, 7 and 8 can form 
part of a security server 10, as shown in figure 3, which can 
35 monitor a large number of data systems 1. The behaviour of the data 

systems 1 to be secured is monitored in real time from security 
server 10, which receives information from the data systems 1 to be 
protected. If a data system 1 displays deviant behaviour, the 
contents of the buffer devices 2 and 3 are "tapped" and examined by 
40 the security server, possibly with aid of automated analysis means, 

such as device 8 in figure 2. 

It is pointed out that where the above description mentions two 
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buffer devices, 2 and 3, one for incoming data and one for outgoing 
data, these functions can in practice also be performed by a single 
input /output buffer. Should a disaster occur in the operation of the 
data system 1, this I/O buffer will then be read out and the 
5 communication data present therein at that moment will be made 

available to the. device 7. 

Deviant behaviour of a data system 1 can for example be: a 
characteristic quantity deviating from its statistical value, a peak 
load, a continuous very high load, a hard disk becoming full, active 
10 processes failing, etc. 

The analysis could be used for: 

* Forensic examination and solving questions of guilt, etc. 

* Identification of (unknown) "network attacks"; the information 
thus obtained could then be used to protect the data systems even 

15 better. 
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CLAIMS 

1. Method for securing a data system that is connected by 
communication means to other systems and exchanges data with those 
other systems via said communication means, characterized in that 

5 the most recently exchanged data are continuously buffered, the 

normal operation of the data system is monitored, and in the event 
of an abnormality in the operation of the data system the buffered 
data are made .available for analysis. 

2. Security system for monitoring a data system (1) that exchanges 
10 data with other systems via communication means (5), characterized 

by buffer means (2,3) for the continuous buffering of the data most 
recently exchanged by the data system and by output means (7) for 
making the buffered data available. 

3. Security system according to claim 2, characterized by monitoring 
15 means (6) for monitoring the data system for normal operation and 

for activating the output means (7) in the event of abnormality in 
the operation of the data system. 

4. Security system according to claim 3, characterized by analysis 
means (8) for analysing the data made available by the activated 

20 output means (7) . 
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